L0rdRaiden, posted June 21, 2023:

Right now there is no clean way to monitor security on Unraid OS. I think it is something critical, since many people are publishing dockers to the internet. It's not compatible with auditd or wazuh or elastic agents or similar solutions. Right now even easy projects like crowdsec are compatible with auditd, so people can easily implement some monitoring or go more advanced with wazuh or other tools that make use of the sigma rules, wazuh, security onion, Qradar Community edition, etc.

So the request at least is to have official auditd support, which is the standard way to monitor Linux OS; wazuh support would be awesome as well.

https://slackbuilds.org/repository/15.0/system/audit/

bobbintb, posted November 2, 2023 (edited November 6, 2023):

I managed to enable the Linux Audit Framework for unRAID but unfortunately it requires rebuilding the kernel. It's a simple flag in the .config file when building and I don't think there is really any downside or performance hit to having it available, since the package would still need to be installed to use it. I think it would be beneficial to enable this for unRAID as it opens the door for more community development. I'm working on one right now that would benefit greatly from being able to track file system changes.

bland328, posted March 3:

On 11/2/2023 at 11:01 AM, bobbintb said:
> I managed to enable the Linux Audit Framework for unRAID but unfortunately it requires rebuilding the kernel.

@bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice!

L0rdRaiden (author), posted March 4:

9 hours ago, bland328 said:
> @bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice!

Someone told me that they might add auditd in 6.13. So I am waiting for it.

ich777, posted March 4:

The necessary options in the Kernel should be included in 6.13.x so that community developers can build a plugin around it.

L0rdRaiden (author), posted March 4:

2 minutes ago, ich777 said:
> The necessary options in the Kernel should be included in 6.13.x so that community developers can build a plugin around it.

Why would it need a plugin? To configure it via webui?

ich777, posted March 4:

16 minutes ago, L0rdRaiden said:
> Why would it need a plugin? To configure it via webui?

Because you would also need some application to interact with it, so to speak audit itself and also to make the settings that you configure persistent across reboots.

bobbintb, posted March 12:

On 3/3/2024 at 4:18 PM, bland328 said:
> @bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice!

I did use a guide, or at least part of one. It will be included in version 6.13, as mentioned. I do have a compiled version on GitHub:

https://github.com/bobbintb/unRAID-audit

But fair warning, I haven't looked at it in a while so I am not sure how out of date it is.